Of all the tools rushed to market to help companies comply with Sarbanes-Oxley Act (SOA) requirements, the potential of those developed by the Enterprise Resource Planning (ERP) vendors themselves is particularly intriguing. The first releases were pretty basic, but some new products show promise.
The Bottom Line: Oracle’s recent update of its Internal Controls Manager (ICM) shows strong progress toward the vision of an integrated ERP compliance tool, with functionality staying ahead of the SOA deadlines.
What It Means: Several early users of ICM are readying for their first internal controls attestations, including one company that has a fiscal year ending in December. Section 404 of the act requires this documentation of business processes and internal controls. As expected, the companies are readying their compliance framework for this summer or early fall so they can operate and test the controls for a full quarter or two before the fiscal year ends.
Internal controls tools, such as ICM, are still a work in progress and won’t be built out completely for several releases. Oracle’s first release was merely a framework for capturing risk and controls documentation, similar to what many audit firms and consultants used, which was sufficient to get the documentation started for Section 404.
But the second release is starting to deliver on the promise of an integrated product:
- Segregation of duties enforcement--Automates ongoing checks that the security configuration is consistent with the documented internal controls. One company noted that the security information was built into more than 16,000 forms, making it costly to analyze manually.
- Integrated audit and review--Manages lists of tasks for testing the controls and organizes the findings. The new release makes it easier for each signing officer and manager to see and drill down into the controls they are responsible for and see the progress of the tests and open issues.
- Integrated project management--Internal controls testing is still people-intensive, with some companies expecting about 1% of their employees to directly use the ICM application, including the corporate officers who sign off for the SEC. The efforts can be planned and tracked with Oracle’s standard project management capabilities to get them done on time and on budget.
- Extensive use of workflow--ICM-related tasks are managed under the ERP package’s workflow, which many of the project participants already use for their daily activities.
- Tools for the external auditor--Provides special views to help the auditor check and verify controls, making use of the preparatory work done by the company.
Internal controls management is becoming embedded in the ERP application, and with each release more controls are available and more automated tests are possible. This embedding also makes it easier to push the controls lower in the organization, spreading the burden and building the controls into standard work processes. The Takeaway: This will be vital to reducing audit costs over the long term.
The major downside for some companies is that these integrated capabilities require an up-to-date release of the ERP software. One customer had to patch its 11.5.8 system up to what is essentially 11.5.9, which triggered all the regression testing of an upgrade. The Takeaway: Coordinate your upgrade and internal controls efforts--the automation may become an important source of benefits to justify an upgrade.
Conclusion: Products like ICM have great potential for companies with highly consolidated and widely deployed ERP systems. Keep in mind that much of the benefit is yet to come. For example, companies are looking forward to being able to baseline the configuration of the ERP system and notify the appropriate managers if key parameters are changed. Even if you have used different tools to capture your risks and controls so far, consider your vendor’s capability as part of your next ERP upgrade or project.
AMR Research originally published this article on 21 April 2004.